2006 Aug 23 5:22 PM
Hi all,
I am using SU25 step 2 a,b,c,d to migrate roles (3.1 to 4.6). The main logic of SU25 step 2 is that table USOBT_C is used to insert new auth values. To do this, transaction codes are used to SELECT entries from USOBT_C.
Now the dilemma: which transaction codes are used ? The ones from AGR_TCODES (this means MENU ROLE) or from authorizations under S_TCODE of AGR_1251 (this means authorization tree).
As I know, only the tcodes in MENU are considered but I have heard that the new SU25 (kernel 6.40 I suppose) is able to consider also the S_TCODE auths. I have done many checks (even using the SSM_CUST table with NEW_SU25_EXCHANGE ID and ssm_cust-path = YES), but only MENUS have been considered. Of course all this issue is relevant only if the MENU and S_TCODE are misaligned.
One other dilemma is: if S_TCODES auths are used, what happens when ranges and jolly char (*) are used ?
Many thanks for your help.
Andrea Cavalleri
2006 Aug 23 5:40 PM
Hi,
Let me say I am not exactly sure. But what I feel is that it takes the entries only from AGR_TCODES, the reason being that some times there may be some internally calling transactions from one transaction. So as per the business process we add only that transaction only in S_TCODE rather than adding in directly in the menu as doing that might bring in more authorizations. Since if in SU25 if it refers to the AGR_1251 table then it would bring in unnecessary authorizations in some of the cases which is not a good thing to do as per security. So I feel tha the entries is based only on Menu rather than AGR_1251.
Please let me know if this explanation helps
2006 Aug 24 1:10 AM
Hi,
I have never heard of SU25 being able to consider the S_TCODE entries. Normally, SU25 only considers the tcodes assigned to the menu. In my opinion, it would be a bad idea to consider S_TCODE entries that have been changed or manually inserted for a number of reasons.
For logic on how SU25 handles each relating authorisation object in the role, check out the topic